The Haag Identity: Operation Seashell Blizzard 🌊❄️

This PR introduces comprehensive updates to our detection analytics, focusing on tagging relevant detections with the new "Seashell Blizzard" analytic story. The changes include:
Version and date updates across 20 detection files, with dates standardized to '2025-03-24' or '2025-03-25', and version numbers incremented appropriately.
Analytics tagged with "Seashell Blizzard" include:
ConnectWise ScreenConnect vulnerability detections (authentication bypass, path traversal)
Exchange Server exploitation detections (ProxyShell, ProxyNotShell, web shell)
Credential access monitoring (LSASS dumps via TaskMgr and ProcDump)
Remote access software usage detections (file, process, registry)
Scheduled task abuse detections
SQL Server xp_cmdshell configuration changes
Registry hive dumping detection
Key updates:
- Added "Seashell Blizzard" tag to 20 existing detections

These changes enhance our ability to track and detect activities associated with the Seashell Blizzard threat actor.

Author: MHaggis

detections/endpoint/connectwise_screenconnect_path_traversal.yml

@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Path Traversal
 id: 56a3ac65-e747-41f7-b014-dff7423c1dda
-version: 4
-date: '2024-11-13'
+version: 5
+date: '2025-03-24'
 author: Michael Haag, Splunk
 data_source:
 - Sysmon EventID 11
@@ -59,6 +59,7 @@ rba:
 tags:
   analytic_story:
   - ConnectWise ScreenConnect Vulnerabilities
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1190

detections/endpoint/connectwise_screenconnect_path_traversal_windows_sacl.yml

@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Path Traversal Windows SACL
 id: 4e127857-1fc9-4c95-9d69-ba24c91d52d7
-version: 5
-date: '2024-12-10'
+version: 6
+date: '2025-03-24'
 author: Michael Haag, Splunk
 data_source:
 - Windows Event Log Security 4663
@@ -57,6 +57,7 @@ tags:
   analytic_story:
   - ConnectWise ScreenConnect Vulnerabilities
   - Compromised Windows Host
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1190

detections/endpoint/creation_of_lsass_dump_with_taskmgr.yml

@@ -1,7 +1,7 @@
 name: Creation of lsass Dump with Taskmgr
 id: b2fbe95a-9c62-4c12-8a29-24b97e84c0cd
-version: 5
-date: '2025-02-10'
+version: 7
+date: '2025-03-25'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -56,6 +56,7 @@ tags:
   analytic_story:
   - Credential Dumping
   - CISA AA22-257A
+  - Seashell Blizzard
   asset_type: Windows
   mitre_attack_id:
   - T1003.001

detections/endpoint/detect_exchange_web_shell.yml

@@ -1,7 +1,7 @@
 name: Detect Exchange Web Shell
 id: 8c14eeee-2af1-4a4b-bda8-228da0f4862a
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-03-25'
 author: Michael Haag, Shannon Davis, David Dorsey, Splunk
 status: production
 type: TTP
@@ -74,6 +74,7 @@ tags:
   - ProxyShell
   - Compromised Windows Host
   - BlackByte Ransomware
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1133

detections/endpoint/detect_psexec_with_accepteula_flag.yml

@@ -1,7 +1,7 @@
 name: Detect PsExec With accepteula Flag
 id: 27c3a83d-cada-47c6-9042-67baf19d2574
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-03-25'
 author: Bhavin Patel, Splunk
 status: production
 type: TTP
@@ -81,6 +81,7 @@ tags:
   - BlackByte Ransomware
   - DarkGate Malware
   - Rhysida Ransomware
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1021.002

detections/endpoint/detect_remote_access_software_usage_file.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage File
 id: 3bf5541a-6a45-4fdc-b01d-59b899fff961
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-03-24'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -81,6 +81,7 @@ tags:
   - Gozi Malware
   - CISA AA24-241A
   - Remote Monitoring and Management Software
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_fileinfo.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage FileInfo
 id: ccad96d7-a48c-4f13-8b9c-9f6a31cba454
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-03-24'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -73,6 +73,7 @@ tags:
   - Ransomware
   - Gozi Malware
   - Remote Monitoring and Management Software
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_process.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Process
 id: ffd5e001-2e34-48f4-97a2-26dc4bb08178
-version: 6
-date: '2024-11-13'
+version: 7
+date: '2025-03-24'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -86,6 +86,7 @@ tags:
   - Gozi Malware
   - CISA AA24-241A
   - Remote Monitoring and Management Software
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1219

detections/endpoint/detect_remote_access_software_usage_registry.yml

@@ -1,7 +1,7 @@
 name: Detect Remote Access Software Usage Registry
 id: 33804986-25dd-43cf-bb6b-dc14956c7cbc
-version: 3
-date: '2025-01-10'
+version: 5
+date: '2025-03-24'
 author: Steven Dick
 status: production
 type: Anomaly
@@ -61,6 +61,7 @@ tags:
   - Gozi Malware
   - CISA AA24-241A
   - Remote Monitoring and Management Software
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id: 
   - T1219

detections/endpoint/dump_lsass_via_procdump.yml

@@ -1,7 +1,7 @@
 name: Dump LSASS via procdump
 id: 3742ebfe-64c2-11eb-ae93-0242ac130002
-version: 10
-date: '2025-02-10'
+version: 11
+date: '2025-03-25'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -73,6 +73,7 @@ tags:
   - HAFNIUM Group
   - Compromised Windows Host
   - Credential Dumping
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.001

detections/endpoint/exchange_powershell_abuse_via_ssrf.yml

@@ -1,7 +1,7 @@
 name: Exchange PowerShell Abuse via SSRF
 id: 29228ab4-0762-11ec-94aa-acde48001122
-version: 6
-date: '2025-02-19'
+version: 7
+date: '2025-03-25'
 author: Michael Haag, Splunk
 status: experimental
 type: TTP
@@ -39,6 +39,7 @@ tags:
   - ProxyShell
   - BlackByte Ransomware
   - ProxyNotShell
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1190

detections/endpoint/scheduled_task_initiation_on_remote_endpoint.yml

@@ -1,7 +1,7 @@
 name: Scheduled Task Initiation on Remote Endpoint
 id: 95cf4608-4302-11ec-8194-3e22fbd008af
-version: 7
-date: '2025-02-10'
+version: 8
+date: '2025-03-24'
 author: Mauricio Velazco, Splunk, Badoodish, Github Community
 status: production
 type: TTP
@@ -62,6 +62,7 @@ tags:
   - Active Directory Lateral Movement
   - Living Off The Land
   - Scheduled Tasks
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1053.005

detections/endpoint/windows_scheduled_task_with_suspicious_command.yml

@@ -1,7 +1,7 @@
 name: Windows Scheduled Task with Suspicious Command
 id: 1f44c126-c26a-4dd3-83bb-0f9a0f03ecc3
-version: 1
-date: '2025-02-07'
+version: 2
+date: '2025-03-24'
 author: Steven Dick
 status: production
 type: TTP
@@ -59,6 +59,7 @@ tags:
   - Windows Persistence Techniques
   - Ransomware
   - Ryuk Ransomware
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id: 
   - T1053.005

detections/endpoint/windows_sensitive_registry_hive_dump_via_commandline.yml

@@ -1,7 +1,7 @@
 name: Windows Sensitive Registry Hive Dump Via CommandLine
 id: 5aaff29d-0cce-405b-9ee8-5d06b49d045e
-version: 3
-date: '2025-02-10'
+version: 4
+date: '2025-03-24'
 author: Michael Haag, Patrick Bareiss, Nasreddine Bencherchali, Splunk
 status: production
 type: TTP
@@ -78,6 +78,7 @@ tags:
   - Industroyer2
   - Volt Typhoon
   - Windows Registry Abuse
+  - Seashell Blizzard
   asset_type: Endpoint
   mitre_attack_id:
   - T1003.002

detections/endpoint/windows_sql_server_xp_cmdshell_config_change.yml

@@ -1,7 +1,7 @@
 name: Windows SQL Server xp_cmdshell Config Change
 id: 5eb76fe2-a869-4865-8c4c-8cff424b18b1
-version: 1
-date: '2025-02-04'
+version: 3
+date: '2025-03-24'
 author: Michael Haag, Splunk
 status: production
 type: TTP
@@ -64,6 +64,7 @@ rba:
 tags:
     analytic_story:
     - SQL Server Abuse
+    - Seashell Blizzard
     asset_type: Windows
     mitre_attack_id:
     - T1505.001

detections/web/connectwise_screenconnect_authentication_bypass.yml

@@ -1,7 +1,7 @@
 name: ConnectWise ScreenConnect Authentication Bypass
 id: d3f7a803-e802-448b-8eb2-e796b223bfff
-version: 5
-date: '2024-11-15'
+version: 6
+date: '2025-03-24'
 author: Michael Haag, Splunk
 data_source:
 - Suricata
@@ -61,6 +61,7 @@ rba:
 tags:
   analytic_story:
   - ConnectWise ScreenConnect Vulnerabilities
+  - Seashell Blizzard
   asset_type: Web Server
   mitre_attack_id:
   - T1190

detections/web/nginx_connectwise_screenconnect_authentication_bypass.yml

@@ -1,7 +1,7 @@
 name: Nginx ConnectWise ScreenConnect Authentication Bypass
 id: b3f7a803-e802-448b-8eb2-e796b223bccc
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-03-24'
 author: Michael Haag, Splunk
 data_source:
 - Nginx Access
@@ -60,6 +60,7 @@ rba:
 tags:
   analytic_story:
   - ConnectWise ScreenConnect Vulnerabilities
+  - Seashell Blizzard
   asset_type: Web Proxy
   mitre_attack_id:
   - T1190

detections/web/proxyshell_proxynotshell_behavior_detected.yml

@@ -1,7 +1,7 @@
 name: ProxyShell ProxyNotShell Behavior Detected
 id: c32fab32-6aaf-492d-bfaf-acbed8e50cdf
-version: 4
-date: '2024-11-15'
+version: 5
+date: '2025-03-24'
 author: Michael Haag, Splunk
 status: production
 type: Correlation
@@ -55,8 +55,8 @@ drilldown_searches:
 tags:
   analytic_story:
   - ProxyShell
-  - BlackByte Ransomware
   - ProxyNotShell
+  - Seashell Blizzard
   asset_type: Web Server
   mitre_attack_id:
   - T1190

detections/web/windows_exchange_autodiscover_ssrf_abuse.yml

@@ -1,7 +1,7 @@
 name: Windows Exchange Autodiscover SSRF Abuse
 id: d436f9e7-0ee7-4a47-864b-6dea2c4e2752
-version: 4
-date: '2025-01-16'
+version: 5
+date: '2025-03-24'
 author: Michael Haag, Nathaniel Stearns, Splunk
 status: production
 type: TTP
@@ -59,6 +59,7 @@ tags:
   - ProxyShell
   - BlackByte Ransomware
   - ProxyNotShell
+  - Seashell Blizzard
   asset_type: Web Server
   cve:
   - CVE-2021-34523

stories/seashell_blizzard.yml

@@ -0,0 +1,23 @@
+name: Seashell Blizzard
+id: 72d9b847-0600-4cb6-8f70-516cc662a55c
+version: 1
+status: production
+date: '2025-03-24'
+author: Michael Haag, Splunk
+description: Seashell Blizzard is a threat actor known for targeting organizations globally through a sophisticated campaign leveraging Exchange Server vulnerabilities, custom tools, and living-off-the-land techniques for persistent access and data collection.
+narrative: Seashell Blizzard operates through a multi-stage attack chain that begins with Exchange Server exploitation and progresses to establishing persistent access through various techniques. The group's initial access typically involves the exploitation of Exchange Server vulnerabilities including ProxyShell and ProxyNotShell, followed by web shell deployment through compromised Exchange paths and credential harvesting using renamed system tools and Task Manager UI.
+  The threat actor maintains persistence by deploying scheduled tasks, installing OpenSSH with custom keys, and making registry modifications for automatic execution. Their command and control infrastructure leverages Tor hidden services (ShadowLink) alongside legitimate remote access tools and custom tunneling utilities for covert communications.
+  For lateral movement and data collection, Seashell Blizzard extensively abuses Exchange PowerShell for mailbox access while conducting NTLM credential theft and systematic enumeration of network resources. The group demonstrates sophisticated operational security, often using legitimate system tools and living-off-the-land binaries to blend in with normal system operations. Their focus appears to be on long-term persistence and data collection, with particular emphasis on email data and network credentials.
+  Detection strategies focus on identifying suspicious Exchange Server activity, monitoring for unusual PowerShell commands, tracking scheduled task creation, and identifying anomalous system tool usage in sensitive contexts. The group's ability to maintain long-term access while evading detection makes them a significant threat to organizations globally.
+references: 
+- https://www.microsoft.com/en-us/security/blog/2025/02/12/the-badpilot-campaign-seashell-blizzard-subgroup-conducts-multiyear-global-access-operation/
+- https://edgewaterit.com/2025/02/20/seashell-blizzard-apt/
+tags:
+  category:
+  - Adversary Tactics
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  usecase: Advanced Threat Detection
+  cve: []